Full Disclosure mailing list archives

RE: Pattern matching search tool


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 06 Jan 2005 10:38:18 -0600

--On Thursday, January 06, 2005 08:07:13 AM +0530 "ALD, Aditya, Aditya Lalit Deshmukh" <aditya.deshmukh () online gateway expertworks net> wrote:

> Dear Paul, I think you answered your own question over here - it's Perl!

Yeah, I'm beginning to think that's what I'm going to have to do.

> However, there is another tool, ntop, that I use quite a lot.

I apologize for the vague nature of my request. I'm not looking for tools that can analyze network traffic. I already have plenty of those. I'm looking for tools that can search my network for *computers* that have *passive* (or active) content that I'd rather they didn't have.

The example I gave was phpBB. If a worm named Santy comes out that attacks phpBB *specifically*, I'd like to know how many machines on my network have phpBB on them *regardless* of whether or not they have any active traffic.

There are a number of ways to do this manually. You can Google for it, then check each box to see if it still has the installation (things change, you know). You could run Nessus and correlate the data. You could run nmap looking for the open ports (like 80) and then do some banner grabbing.

But all these methods involve labor *and* require that you react to an event. I'm looking for something *proactive* that can "crawl" my network and report (by email or to mysql, etc.), that can be automated but allows me to do "special" searches if I want to.

Sort of a combination of ngrep, ntop, nessus, p0f, webcrawler, open port searcher, grep, find, locate, etc., etc. A "Swiss army knife" discovery tool, if you will.

And the more I think about it, the more I feel a perl script coming on.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
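As an added example (not from Paul's message or from any of the tools it names), a Python sketch of the proactive inventory he describes: connect to port 80 on each host you administer, request a few common phpBB paths, and fingerprint the response so the result can be reported or stored. The candidate paths, the markers and the sample hosts are assumptions to tune for your own network.

```python
"""Inventory phpBB installations on hosts you administer (added example, not from the thread)."""
import re
import socket
from typing import Callable, Iterable, Optional

# Paths a phpBB install is commonly reachable at (assumption; extend for your own network).
CANDIDATE_PATHS = ("/", "/phpBB/", "/phpBB2/", "/forum/", "/forums/")

# Markers that identify phpBB in an HTTP response (page footer text, or the phpBB2 default cookie).
PHPBB_MARKERS = (
    re.compile(rb"Powered by (?:<a [^>]*>)?phpBB", re.I),
    re.compile(rb"phpBB Group", re.I),
    re.compile(rb"Set-Cookie: phpbb2mysql_", re.I),
)

def fingerprint_phpbb(response: bytes) -> bool:
    """Return True when raw HTTP headers+body carry any phpBB marker."""
    return any(marker.search(response) for marker in PHPBB_MARKERS)

def http_get(host: str, path: str, port: int = 80, timeout: float = 3.0) -> Optional[bytes]:
    """Fetch one path with a minimal HTTP/1.0 request; None if the host does not answer."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks, total = [], 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while total < 65536:  # cap what we read; the markers sit near the top of the page
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except OSError:
        return None
    return b"".join(chunks)

def find_phpbb_hosts(hosts: Iterable[str],
                     fetch: Callable[[str, str], Optional[bytes]] = http_get) -> dict:
    """Map each host to the first candidate path where phpBB was detected."""
    found = {}
    for host in hosts:
        for path in CANDIDATE_PATHS:
            response = fetch(host, path)
            if response and fingerprint_phpbb(response):
                found[host] = path
                break
    return found

if __name__ == "__main__":
    import sys  # usage: python inventory.py host1 host2 ...  (hosts are your own)
    for host, path in find_phpbb_hosts(sys.argv[1:]).items():
        print(f"{host}: phpBB found at {path}")
```

The `fetch` parameter exists so the detection logic can be exercised against saved responses without touching the network, and so the report step can be swapped for an email or database insert.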
